
How to do it...

To show you the power of Volatility, we decided to use a memory image from a system infected with known malware - Stuxnet. Why? Because this memory image is freely available, so you can download it and use it for training.

Let's start by collecting information about our image.

  1. To do this, start cmd.exe.
  2. Change the directory to the one with the Volatility Standalone Executable, and use the imageinfo plugin:
volatility_2.6_win64_standalone.exe -f X:\stuxnet.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (X:\stuxnet.vmem)
                      PAE type : PAE
                           DTB : 0x319000L
                          KDBG : 0x80545ae0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2011-06-03 04:31:36 UTC+0000
     Image local date and time : 2011-06-03 00:31:36 -0400

The imageinfo plugin returned two suggested profiles. We know that this image was taken from a system running Windows XP with Service Pack 3, and the Image Type (Service Pack) : 3 line in the output confirms it, so the correct profile is WinXPSP3x86. Picking the wrong profile is a common source of empty or garbled plugin output, so it is worth checking this before going further.

Now that we know the correct profile, we can pass it with the --profile switch to collect information about the processes running on the infected machine.

  1. To do this, we can use the pslist plugin:
volatility_2.6_win64_standalone.exe -f X:\stuxnet.vmem --profile=WinXPSP3x86 pslist
Figure 2.8. Volatility pslist plugin output

Do you see anything suspicious? Yes, there are three copies of lsass.exe, and this is one of the signs of a Stuxnet infection.

Normally, only one lsass.exe process should be running, so we need to determine which two are malicious.

  1. Look at the timestamps in figure 2.8. Two of the three lsass.exe processes started in 2011; a genuine lsass.exe is started once, at boot, so a much later start time is hard to explain. Strange, isn't it? Now let's use the pstree plugin:
volatility_2.6_win64_standalone.exe -f X:\stuxnet.vmem --profile=WinXPSP3x86 pstree
Figure 2.9. Volatility pstree plugin output

On Windows XP, lsass.exe is started by winlogon.exe, so that is the parent we expect to see for each of our suspicious processes.

  1. Let's look at the figure: only one lsass.exe is started by winlogon.exe - the one with PID 680; the two others are started by services.exe! So, the lsass.exe processes with PIDs 868 and 1928 could be malicious.
  2. We have two potentially malicious processes. Let's check the DLLs loaded by these processes using the dlllist plugin:
volatility_2.6_win64_standalone.exe -f X:\stuxnet.vmem --profile=WinXPSP3x86 dlllist -p 868
Figure 2.10. Volatility dlllist plugin output for the suspicious process with PID 868
volatility_2.6_win64_standalone.exe -f X:\stuxnet.vmem --profile=WinXPSP3x86 dlllist -p 1928

Figure 2.11. Volatility dlllist plugin output for the suspicious process with PID 1928
  1. Look at figure 2.11. Anything suspicious? Yes! According to the Stuxnet threat description on F-Secure's website, Stuxnet injects an encrypted DLL into a process, and the injected module appears under a name of the form [normaldll].ASLR.[random], so it is not a file you will find on disk.
  2. Look familiar? We have found another trace of Stuxnet - KERNEL32.DLL.ASLR.0360b7ab.
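The checks in the steps above (one lsass.exe only, parented by winlogon.exe, started at boot, and no modules named [normaldll].ASLR.[random]) are easy to repeat by hand once, but tedious across many images. The following Python script is an added example, not code from the book or from the Volatility project: it parses the text output of the pslist and dlllist plugins and flags processes whose parent, instance count or start time do not match the normal Windows XP process tree, plus any loaded module matching the ASLR naming pattern. The sample output embedded in it is constructed for the example: the three lsass.exe PIDs and their parents follow the text above, while the offsets, counts, timestamps, module bases and remaining PIDs are made up. The expected-parent table is the XP layout and would need adjusting for later Windows versions.

```python
import re
import sys
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the column layout of Volatility 2.6 pslist output. The three
# lsass.exe PIDs and their parents follow the text above; every other value is made up.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x82000000 System                    4      0     59      403 ------      0
0x82000100 smss.exe                376      4      3       19 ------      0 2010-10-29 17:08:53 UTC+0000
0x82000200 winlogon.exe            624    376     19      570      0      0 2010-10-29 17:08:54 UTC+0000
0x82000300 services.exe            668    624     21      431      0      0 2010-10-29 17:08:54 UTC+0000
0x82000400 lsass.exe               680    624     19      342      0      0 2010-10-29 17:08:54 UTC+0000
0x82000500 lsass.exe               868    668      2       23      0      0 2011-06-03 04:26:55 UTC+0000
0x82000600 lsass.exe              1928    668      4       65      0      0 2011-06-03 04:26:55 UTC+0000
"""

# Constructed sample of dlllist output for one process (module bases and sizes made up).
DLLLIST_SAMPLE = r"""
lsass.exe pid:   1928
Command line : "C:\WINDOWS\system32\lsass.exe"

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000     0x6000     0xffff C:\WINDOWS\system32\lsass.exe
0x7c900000    0xaf000     0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000    0xf6000     0xffff C:\WINDOWS\system32\kernel32.dll
0x00870000    0x7c000        0x1 KERNEL32.DLL.ASLR.0360b7ab
"""

# Which process creates each core process on Windows XP (adjust for later versions).
EXPECTED_PARENT = {"smss.exe": "system", "csrss.exe": "smss.exe", "winlogon.exe": "smss.exe",
                   "services.exe": "winlogon.exe", "lsass.exe": "winlogon.exe",
                   "svchost.exe": "services.exe"}
SINGLETONS = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

PSLIST_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"\S+\s+\S+\s+\S+\s+\d+"                        # Thds Hnds Sess Wow64
    r"(?:\s+(?P<start>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC[+-]\d{4}))?")
ASLR_DLL = re.compile(r"^(?P<original>[^\\/]+)\.ASLR\.(?P<suffix>[0-9a-fA-F]+)$", re.IGNORECASE)


def parse_pslist(text):
    """Turn pslist text rows into dicts; header and separator lines are skipped."""
    procs = []
    for m in filter(None, map(PSLIST_ROW.match, text.splitlines())):
        start = m.group("start")
        procs.append({"name": m.group("name"), "pid": int(m.group("pid")), "ppid": int(m.group("ppid")),
                      "start": datetime.strptime(start, "%Y-%m-%d %H:%M:%S UTC%z") if start else None})
    return procs


def find_anomalies(pslist_text, boot_slack=timedelta(minutes=10)):
    """Return (pid, name, kind, reason) for parent, instance-count and start-time anomalies."""
    procs = parse_pslist(pslist_text)
    by_pid = {p["pid"]: p for p in procs}
    counts = Counter(p["name"].lower() for p in procs)
    boot = min((p["start"] for p in procs if p["start"]), default=None)   # earliest start ~ boot
    findings = []
    for p in procs:
        name, parent = p["name"].lower(), by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else "<missing>"
        expected = EXPECTED_PARENT.get(name)
        if expected and parent_name != expected:
            findings.append((p["pid"], p["name"], "parent",
                             f"parent is {parent_name} (PID {p['ppid']}), expected {expected}"))
        if name in SINGLETONS and counts[name] > 1:
            findings.append((p["pid"], p["name"], "count", f"{counts[name]} instances of a one-off process"))
        if name in SINGLETONS and boot and p["start"] and p["start"] - boot > boot_slack:
            findings.append((p["pid"], p["name"], "start", f"started {p['start'] - boot} after boot"))
    return findings


def suspect_pids(pslist_text):
    """PIDs with a wrong parent or a late start: the ones to dump and scan first."""
    return sorted({pid for pid, _, kind, _ in find_anomalies(pslist_text) if kind in ("parent", "start")})


def find_aslr_dlls(dlllist_text):
    """Return (path, original name) for modules named [normaldll].ASLR.[random]."""
    hits = []
    for line in dlllist_text.splitlines():
        parts = line.split(None, 3)                 # Base Size LoadCount Path (path may hold spaces)
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue
        basename = parts[3].strip().replace("\\", "/").rsplit("/", 1)[-1]
        m = ASLR_DLL.match(basename)
        if m:
            hits.append((parts[3].strip(), m.group("original")))
    return hits


if __name__ == "__main__":
    # usage: python triage.py [pslist.txt] [dlllist.txt]; without arguments the samples above are used
    pslist_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PSLIST_SAMPLE
    dlllist_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else DLLLIST_SAMPLE
    for pid, name, kind, why in find_anomalies(pslist_text):
        print(f"PID {pid:>5} {name:<13} [{kind}] {why}")
    for path, original in find_aslr_dlls(dlllist_text):
        print(f"module {path} is not on disk and masquerades as {original}")
    print("dump first:", suspect_pids(pslist_text))
```

To run it against a real image, redirect the plugin output to files first (volatility_2.6_win64_standalone.exe ... pslist > pslist.txt, and likewise for dlllist) and pass them as arguments. The legitimate lsass.exe is reported once, for the instance count, because that is a true observation; the parent and start-time checks are what single out the two processes worth dumping.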

There is another extremely useful Volatility plugin, malfind. It helps digital forensic examiners find hidden or injected code and DLLs in user-mode memory by looking for memory regions that are mapped executable and writable (typically PAGE_EXECUTE_READWRITE) yet are not backed by a file on disk, which is how injected code usually looks. Let's use it for our suspicious lsass.exe processes:

volatility_2.6_win64_standalone.exe -f X:\stuxnet.vmem --profile=WinXPSP3x86 malfind -p 868 --dump-dir X:\Stuxnet
Figure 2.12. A part of Volatility malfind plugin output for the suspicious process with PID 868

As you can see, we also used the --dump-dir switch to export the flagged memory regions to a folder (create it first; malfind names each file process.<EPROCESS offset>.<region base>.dmp). The -p switch accepts a comma-separated list, so -p 868,1928 covers both suspects in one run. After that we can, for example, upload the dumps to VirusTotal, and most of them are detected as malicious. For example, process.0x81c47c00.0x80000.dmp, extracted from lsass.exe with PID 1928, is detected by Dr.Web Antivirus as Trojan.Stuxnet.1. On a real case, look up the hashes of the dumps rather than uploading them: the files are pieces of the victim's memory and may contain data you are not entitled to share.
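The dumps malfind writes are raw copies of memory regions, so before looking anything up it helps to know which of them are complete PE images and which are loose code or just zero pages. The following Python script is an added example (not from the book or from Volatility): it recovers the EPROCESS offset and region base from each file name, hashes each dump so it can be looked up instead of uploaded, and classifies the content by checking for an MZ stub, a reachable PE signature and the DLL flag in the COFF characteristics, with an x86 function prologue as a hint for raw code. The file-name layout is taken from the dump name quoted above; the bytes it classifies when run without arguments are constructed inline (a header-only PE image and a few synthetic regions), and the script name dumptriage.py is just the name used in the usage comment.

```python
import hashlib
import re
import struct
import sys
from pathlib import Path

# malfind names each exported region process.<EPROCESS offset>.<region base>.dmp
DUMP_NAME = re.compile(r"^process\.(0x[0-9a-fA-F]+)\.(0x[0-9a-fA-F]+)\.dmp$")
IMAGE_FILE_DLL = 0x2000            # COFF Characteristics flag


def parse_dump_name(filename):
    """Return (eprocess_offset, region_base) from a malfind dump file name."""
    m = DUMP_NAME.match(Path(filename).name)
    if not m:
        raise ValueError(f"not a malfind dump name: {filename}")
    return int(m.group(1), 16), int(m.group(2), 16)


def classify_dump(data):
    """Classify the raw bytes of one dumped region: pe, mz-no-pe, code, empty or raw."""
    info = {"size": len(data), "sha256": hashlib.sha256(data).hexdigest(), "kind": "raw"}
    if not data.strip(b"\0"):
        info["kind"] = "empty"                      # RWX region that only held zero pages
    elif data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 24 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            machine, sections = struct.unpack_from("<HH", data, e_lfanew + 4)
            characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
            info.update(kind="pe", machine=machine, sections=sections,
                        is_dll=bool(characteristics & IMAGE_FILE_DLL))
        else:
            info["kind"] = "mz-no-pe"               # MZ stub without a reachable PE header: partial or damaged
    elif data[:3] == b"\x55\x8b\xec":
        info["kind"] = "code"                       # push ebp; mov ebp, esp: x86 function prologue
    return info


def triage_dir(dump_dir):
    """Classify every malfind dump in a folder; rows are (name, eprocess, base, info)."""
    rows = []
    for path in sorted(Path(dump_dir).glob("process.*.dmp")):
        eproc, base = parse_dump_name(path.name)
        rows.append((path.name, eproc, base, classify_dump(path.read_bytes())))
    return rows


def constructed_pe_dll():
    """Build a header-only 32-bit DLL image for the demo (constructed, not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew: PE header right after the DOS header
    # PE\0\0 + COFF header: Machine=i386, 1 section, timestamp/symbols zero,
    # SizeOfOptionalHeader=0xE0, Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    return bytes(dos) + coff + b"\0" * 0xE0


if __name__ == "__main__":
    if len(sys.argv) > 1:                           # usage: python dumptriage.py X:\Stuxnet
        for name, eproc, base, info in triage_dir(sys.argv[1]):
            print(f"{name}: EPROCESS {eproc:#x} base {base:#x} {info['kind']:<8} sha256 {info['sha256']}")
    else:                                           # no folder given: classify constructed regions
        samples = {"pe-dll": constructed_pe_dll(), "prologue": b"\x55\x8b\xec\x83\xec\x10",
                   "zero-page": b"\0" * 4096, "mz-stub": b"MZ" + b"\0" * 0x3E}
        for label, blob in samples.items():
            print(f"{label:<10} -> {classify_dump(blob)['kind']}")
        print(parse_dump_name("process.0x81c47c00.0x80000.dmp"))
```

A dump classified as pe with is_dll set is a good candidate for the injected module found with dlllist, and its SHA-256 can be searched on VirusTotal without uploading anything; the mz-no-pe and code cases are what you get when malfind catches only the start of a region or a block of shellcode, which still deserve a look but will not identify themselves by hash alone.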

There are many more Volatility plugins available. You can learn more about them in the documentation available on the Volatility Foundation website.